Author Topic: C:\windows\system32\taskmon.exe  (Read 104032 times)

paddyc (Guest)
C:\windows\system32\taskmon.exe
« on: November 21, 2008, 03:50:15 AM »
I have just upgraded Avast Home Edition to version 4.8.1290 as I was getting the red circle in the icon and this seems to have resolved that problem.

However once the upgrade was loaded Avast reported a suspicious file as above with the information Rootkit:Hidden Process listed underneath. Options were to delete or ignore and I chose to delete as I know that it may have been a legitimate file for Windows 98 but not for XP which is what I am running.

I then followed this up with a boot scan as recommended by Avast which came back clean. On my next reboot Avast again reported this same file and again I deleted it. On next reboot it was reported again but this time I did a search of my system for the file and could not find it.

So why is Avast finding something that is not there and which it is supposed to have deleted??

Mystified!

PS When I right click on the avast icon and get the pop up box and select an option that option stays on the screen in a translucent blue colour and stays there no matter what I am running. Only way to get rid of it is to reboot.

WangoTango (Guest)
« Reply #1 on: November 21, 2008, 10:50:09 AM »
Did you check to see if taskmon.exe is running at startup in msconfig?

If not go to Start>Run>msconfig. Go to the startup tab and see if you see it. If you do, uncheck it if it's checked and reboot.
« Last Edit: November 21, 2008, 10:52:10 AM by WangoTango »

Maxx_original (Moderator)
« Reply #2 on: November 21, 2008, 11:10:57 AM »
Have you sent the file to us via the antirootkit dialog?

Lisandro (Avast team)
« Reply #3 on: November 21, 2008, 01:38:09 PM »
I'm not sure this will help, but this link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
The best things in life are free.

Maxx_original (Moderator)
« Reply #4 on: November 21, 2008, 02:45:11 PM »
This is most probably not a false detection... Google the name and path and you'll get some hits related to malware. The best the user can do is to send us the sample and the exact detection will be added.

paddyc (Guest)
« Reply #5 on: November 21, 2008, 04:22:42 PM »
Hi Guys

WangoTango - did a check on msconfig and nothing showing there.

Maxx_original - I did do a Google and realised that it was probably malware as I am using XP and taskmon should only be in 98. I have since read some of the posts on this web site and have downloaded Superantispyware and Malwarebytes and run these which found various adware in the registry but nothing else.

Maxx - how do I do the antirootkit dialog? When the suspicious warnings came up there was an option there to send the file to Avast which I left ticked before I ticked the delete - so I presumed that the file had already been sent. Was I wrong in my thinking?

WangoTango (Guest)
« Reply #6 on: November 22, 2008, 08:43:53 AM »
I suggest downloading Spybot and then update it. If it has anything to do with any of the W32 Worms/Trojans, it'll find it for you. Has a database of over 300,000 ;).
« Last Edit: November 22, 2008, 08:46:34 AM by WangoTango »

Lisandro (Avast team)
« Reply #7 on: November 22, 2008, 12:57:52 PM »
Quote from WangoTango: "I suggest downloading Spybot and then update it. If it has anything to do with any of the W32 Worms/Trojans, it'll find it for you. Has a database of over 300,000 ;)."

I'd rather use MBAM or SuperAntispyware.

paddyc (Guest)
« Reply #8 on: November 23, 2008, 01:41:54 AM »
Hi Guys,

I have run Spy Bot and adaware and both of these have come up clean. As I said before I have also run superantispyware and malwarebytes and they only found small adware problems in the registry which have been cleared as spybot and adware did not pick anything up. I should mention that I am also running Spy Blaster.

However Avast continues to report this suspicious file which does not exist. I have even hunted for it while Avast is in the process of reporting it. Nothing in the directory, nothing in start up and nothing in processes.

Maybe I should mention that I have another thread running where it appears that I had a serious trojan backdoor file called ._file[1].exe which Avast picked up as win32:invo (cryp) and put in the chest - could this be related?

Other thread is here http://forum.avast.com/index.php?topic=40244.0 I will mention this thread on the other one as well.

DavidR (Avast Überevangelist)
« Reply #9 on: November 23, 2008, 03:00:20 AM »
You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest (if there); you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

paddyc (Guest)
« Reply #10 on: November 23, 2008, 04:07:56 PM »
Hi Davidr,

I cannot post the file anywhere as it does not appear to exist. Avast reports it as a suspicious file and offers me the option to delete it or ignore it and to send the file to Avast. I have tried all of these options but Avast continues to report it the next time I log in. I cannot find any reference to the file on the computer.

DavidR (Avast Überevangelist)
« Reply #11 on: November 23, 2008, 04:52:03 PM »
What suspicious file and location?

If you put the file in the chest then it should exist, which is why I suggested extracting it from the chest.

If it is still the taskmon.exe of the subject then it must also exist or avast wouldn't detect it.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

Maxx_original (Moderator)
« Reply #12 on: November 23, 2008, 04:58:13 PM »
The file was sent to us while you've updated your VPS... Since you've selected to delete it, it shouldn't be present on your PC. The file has been analysed by Misak and the exact detection for it is maybe done already.
« Last Edit: November 23, 2008, 05:00:22 PM by Maxx_original »

Lisandro (Avast team)
« Reply #13 on: November 23, 2008, 08:46:14 PM »
Quote from Maxx_original: "the file was sent to us while you've updated your VPS... since you've selected to delete it, it shouldn't be present on your PC.."

Can you send it back to the user?

Quote from Maxx_original: "the file has been analysed by Misak and the exact detection for it is maybe done already.."

Thanks.

paddyc (Guest)
« Reply #14 on: November 24, 2008, 05:51:42 AM »
Sorry guys but this detection is not going away.

Avast again reported the file when I started up this morning - as it has done every day since I first reported it - which was following the update of the Avast software.

It is not in the chest - that is not an option that Avast allowed. It says delete or ignore - if you select delete Avast then warns that it was in the memory and needs to do a boot scan. Have done these several times with nothing reported. Have given up doing the boot scan and I am simply telling it to delete.

Every time I tell it to delete the option to send the file to Avast is ticked so if the file is there then Avast should have received numerous copies of this same file - name and location is as per the title of this topic.

DavidR, I have run the search facilities including all system and hidden files, checked msconfig startup and services, taskmanager processes and anything else I can think of BEFORE telling Avast to delete it and I cannot find this file. Numerous spyware detection programs are not finding anything. It is a complete mystery. ???
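
The manual checks described in this thread (startup entries, services, running processes, and the file itself with hidden and system files included), collected into one read-only script. This is an added example, not something posted by any forum member; it assumes PowerShell 3 or later on a current Windows system, which the Windows XP machine in the thread would not have had by default, and the helper name Find-NameInRunKeys is hypothetical.

```powershell
# Added example (not from the thread): look for one file name in the places
# the posters inspected by hand. Read-only; nothing is deleted or changed.
$Name = 'taskmon.exe'                               # file name from the topic title
$Path = Join-Path $env:SystemRoot "System32\$Name"  # location from the topic title

function Find-NameInRunKeys {                       # hypothetical helper name
    param([string]$Name)
    # Registry autostart keys, part of what msconfig's Startup tab lists
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -like "*$Name*") {
                [pscustomobject]@{ Key = $key; Entry = $valueName; Command = $data }
            }
        }
    }
}

# -Force makes Get-Item return files with the Hidden or System attribute set
$file = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
$run  = @(Find-NameInRunKeys -Name $Name)
$svc  = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Name*" })
$proc = @(Get-CimInstance Win32_Process | Where-Object { $_.Name -eq $Name })

# One-screen summary, then the details of any hits
[pscustomobject]@{
    FileOnDisk  = [bool]$file
    Attributes  = if ($file) { $file.Attributes } else { $null }
    RunKeyHits  = $run.Count
    ServiceHits = $svc.Count
    ProcessHits = $proc.Count
} | Format-List

$run  | Format-Table -AutoSize -Wrap
$svc  | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
$proc | Select-Object ProcessId, ParentProcessId, ExecutablePath | Format-Table -AutoSize
```

These queries go through the same user-mode Windows interfaces as Explorer, msconfig and Task Manager, so an object hidden from those tools may be hidden from this script as well. An all-empty result therefore does not by itself rule out a "Rootkit:Hidden Process" detection.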